Posted by timothy on Sunday January 23, 2005 @10:41AM from the not-just-translucent dept.

mixter writes "Hi. I'd like to point your attention to Ciphire, a fully free and soon-to-be-audited-OpenSource 'Global PKI' project I've been working on for the last three years. As the first three or four thousand geeks started using Ciphire and seem happy, with some tech articles written, I guess the /. community might find this interesting, too. Ciphire hopes to have solved the problems that prevented PGP from a broader deployment, with even higher security standards - as already confirmed by crypto experts Housley & Ferguson. More useful information, e.g. in Wired or in the Nerd^H^H^H^Hexperts FAQ."

It's actually pretty simple. I figured it out just reading the "automatically" but I'll break it down for you. Directly from their website:

"The Ciphire Mail client resides on the user's computer between the email client and the email server, intercepting, encrypting, decrypting, signing, and authenticating email communication. During normal operation, all operations are performed in the background, making it very easy to use even for non-technical users."

I shouldn't have to explain it any further than that here on Slashdot. That's in the first paragraph of the Technical Explanation of how it works. Later on it lists:

"The Ciphire Mail client consists of three parts: the core client, a graphical configuration interface, and mail connector modules (redirector). Supported email protocols include SMTP, POP3, and IMAP4. The STARTTLS and direct SSL/TLS variants of these protocols are supported as well."

For anyone that didn't get the gist - it basically redirects your mail to its own "server process" sitting on your computer then sends it out to the normal SMTP server. This is using the same technology that the current Mail virus scanners use (Think Symantec), not new technology, just used in a different way.

On the reverse end, the "server" checks the mail and hands it to the email client making everything secure in between.

Pretty simple way of getting Jane and Jon Doe with OE to use it if you ask me. Granted, it needs to be installed by Admin on proper machines, but that shouldn't be too much of an issue for any company that would like to secure their email - especially if you explain and show your network admins that email is USUALLY a plain text security nightmare.

(a) Subject to all of the terms and conditions set forth in this Agreement, Licensor grants to Licensee a non-exclusive, personal, non-transferable, non-sublicensable right, during the term of this Agreement, to use the Software, and the Services solely for Licensee's own Personal Use and in accordance with the applicable documentation and instructions made available by Licensor.

(b) In no event shall Licensee distribute, display, or otherwise make available to any third party, the Software (including any copy, portion, extract, or derivative thereof).

(c) Licensee shall not, and shall not assist, enable or otherwise permit or allow any third party to, (i) alter, adapt, modify, translate, create derivative works of, (ii) except to the extent expressly permitted by mandatory applicable law notwithstanding an agreement to the contrary, decompile, disassemble or otherwise reverse engineer or attempt to derive the source code of, or any technical data, know-how, trade secrets, processes, techniques, specifications, protocols, Key and data-formats, methods, algorithms, interfaces, ideas, solutions, structures or other information embedded or used in, (iii) rent, lend, loan, lease, sell, distribute or sublicense, or (iv) remove, alter or obscure any proprietary or restrictive notices affixed to or contained in, the Software or any copy, portion, extract or derivative thereof. In addition, Licensee shall not provide, disclose or otherwise make available the Software or any copy, portion, extract or derivative thereof, or permit use of any of the foregoing by or for the benefit of any third party (including, without limitation, on a hosting, service-bureau, time-sharing or subscription service basis).

(d) The Software is licensed as a single product package and Licensee shall not, and shall not assist, enable or otherwise permit or allow any third party to, separate the Software, or use any component parts thereof other than as part of the Software as and in the form provided by Licensor.

(e) Licensee shall not use the Software other than in connection with the Key-Data and the Services provided by Licensor under this Agreement.

I've been on the pgp-users mailing list for a long time and the Outlook plugin has been a chronic source of problems for users and developers. Apparently email client plugin interfaces are nonstandard, change with each release, and all too often buggy. The default advice to people running PGP with their mail client evolved into "use the Encrypt Current Window function", which sacrificed integration between key selection and email addressing.

If I understood what the developers said, they wanted to do PGP Universal because they couldn't stand the plugin hassles. PGP Universal and Ciphire may signal a trend toward putting the crypto downstream of the email program.

Don't underestimate usability problems as a barrier to adoption. CMU did a usability study on PGP 5.0 and the results were alarming.